UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Information Technology Audit Division

September 12, 2011

FINAL MANAGEMENT INFORMATION REPORT

To:       James W. Runcie
          Acting Chief Operating Officer
          Federal Student Aid

From:     Charles E. Coe Jr. /s/
          Assistant Inspector General for
          Information Technology Audits and Computer Crime Investigations

Subject:  Survey of Federal Student Aid Contracts and Guaranty Agency Agreements that
          Provide Information Technology Support or Services
          Control Number ED-OIG/X11L0002

The purpose of this Final Management Information Report is to provide the U.S. Department of Education (Department), Federal Student Aid (FSA), with information that may strengthen its current contracting process by ensuring that contracts and agreements align with Federal requirements and guidance and with Department and FSA policy and procedures.[1] The objective of our survey was to first identify all FSA contracts providing contractor information technology (IT) support or services[2] to FSA or the Department, as well as all agreements for Guaranty Agencies (GA),[3] which process, store, or transmit Department data through external IT systems as of November 1, 2010. Then, for each FSA contract identified, we determined whether the current contract contained any language that addressed IT security and whether documentation existed to support the certification and accreditation (C&A) of the contractor's system. For each GA agreement identified, we determined whether the current agreement contained any language that addressed IT security.

We found that (1) 7 of the 38 IT support or service contracts reviewed did not contain any language to address IT security; (2) 29 of the 38 contracts reviewed that were subject to the C&A process did not contain all of the documents required to support system C&A; and (3) none of the agreements between FSA and the 32 GAs contained any language that addressed IT security.

[1] To include the E-Government Act (Public Law 107-347), security standards, and guidance issued by the National Institute of Standards and Technology, Office of Management and Budget policy, the Federal Acquisition Regulation, and the Privacy Act of 1974.
[2] IT support services include the processing, storing, or transmission of data.
[3] A Guaranty Agency is a public or private nonprofit entity that, consistent with 34 Code of Federal Regulations (C.F.R.) §§ 682.400 et seq., performs certain administrative functions in the Federal Family Education Loan Program to provide loan guarantees on loans made by private lenders and to collect or help rehabilitate defaulted student loans.

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.

Final Management Information Report
Control Number – ED-OIG/X11L0002                                        Page 2 of 11

BACKGROUND

The Department is obligated to ensure appropriate IT security for operations and assets of the agency. IT security requirements are outlined in Federal requirements and guidance such as the Federal Information Security Management Act of 2002 (FISMA)[4] and publications issued by the National Institute of Standards and Technology (NIST). When dealing with external entities, the Department furthers this obligation through formal agreements and contracts with these entities.

FISMA requires that each Federal agency develop, document, and implement an agency-wide program providing security for the information and information systems that support the operations and assets of the agency. This support also includes operations and assets provided or managed by another agency, contractor, or other source.

[4] Enacted as Title III of the E-Government Act (Public Law 107-347), December 2002.

NIST, through its Computer Security Division, provides standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services. These standards include Federal Information Processing Standards[5] (FIPS) Publications and Special Publications[6] (SP).

[5] FIPS Publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the IT Reform Act of 1996 (Public Law 104-106) and FISMA. With the passage of FISMA, there is no longer a statutory provision to allow for agencies to waive mandatory FIPS.
[6] Special Publications present documents of general interest to the computer security community. The SP 800 series provides information on NIST's Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

NIST FIPS Publication 200, "Minimum Security Requirements for Federal Information and Information Systems," dated March 2006, specifies minimum security requirements for information and information systems supporting the executive agencies of the Federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. Two areas that specifically relate to the scope of this survey include (1) certification, accreditation, and security assessments, and (2) systems and services acquisition.

NIST SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems," dated February 2010, establishes a common information security framework for the Federal government and its contractors.[7] Appendix I of NIST SP 800-37, Revision 1, states that security requirements for external providers, including the security controls for information systems processing, storing, or transmitting Federal information, are expressed in appropriate contracts or other formal agreements. Appendix I also states that FISMA and Office of Management and Budget (OMB) policy require external providers of information system services handling Federal information or operating information systems on behalf of the Federal government to meet the same security requirements as Federal agencies.

[7] Revision 1 redefined the traditional C&A process into a six-step Risk Management Framework. It replaced the May 2004 version titled "Guide for the Security Certification and Accreditation of Federal Information Systems," which defined the security accreditation package as containing a System Security Plan, Security Assessment Report, and Plan of Action and Milestones.

The SP 800-37 Risk Management Framework further states that common control providers[8] are responsible for:

  • Documenting the common controls in a system security plan (SSP);
  • Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization;
  • Documenting assessment findings in a security assessment report (SAR); and
  • Producing a Plan of Action and Milestones (POA&M) for all controls having weaknesses or deficiencies.

[8] A common control provider is an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls that are inherited by one or more organizational systems).

Department of Education OCIO-01 "Handbook for Information Assurance Security Policy," dated March 31, 2006, establishes policies required to comply with Federal laws and regulations, thus ensuring adequate protection of Department IT resources. Additionally, OCIO-05 "Handbook for Information Technology Security Certification and Accreditation Procedures," dated March 31, 2006, establishes a comprehensive and uniform approach to the C&A process for agency systems. The handbooks are consistent with government-wide policies, standards, and procedures issued by OMB, NIST, the General Services Administration, and the Office of Personnel Management.

OBSERVATIONS

With respect to the scope of our review, we determined that 38 active FSA contracts were related to contractor-provided IT support or services. Of those 38 contracts, 7 did not address IT security. In addition, 29 of the 38 contracts that were subject to the C&A process did not contain all of the required supporting documentation to verify that the contractor's system was properly certified and accredited in accordance with Federal mandates. We also determined that none of the GA agreements addressed IT security.

Review of Contracts for IT Security Requirements

At the beginning of our survey work, FSA identified a total universe of 241 active contracts. Of the 241 contracts, FSA identified that 52 of these active contracts were related to contractor-provided IT support or services. For all 52 contracts, we verified which contracts were indeed related to contractor-provided IT support or services. Initially, we could not identify the systems that were going to be used in performing the work specified in some of the contracts because they were not specifically identified within the contracts. Therefore, we performed extensive research to determine whether the systems were correctly identified for each contract.

We determined that 4 of the 52 contracts identified by FSA did not provide contractor IT support or services and, therefore, were excluded from our review. Four more of those 52 contracts were multiple contracts for the same system associated with the same contractor and were also excluded from our review. An FSA official identified 6 contracts for which the contractor did not use a system and, therefore, the contract was not subject to the C&A process. Of the remaining 38 contracts, we identified 7 contracts that included no provisions to address IT security. These seven contracts provided services such as processing and disbursement of Direct Loans and Federal Pell Grants; collecting enrollment data for Teacher Education Assistance for College and Higher Education Grant recipients, Direct Loan borrowers, and Department-held Federal Family Education Loan (FFEL) borrowers; managing student aid obligations made under Title IV of the Higher Education Act of 1965, as amended; and providing operation, maintenance, and development services for the Ombudsman Case Tracking System, as well as Ombudsman Web sites.

By not addressing IT security requirements in all IT support and service contracts and agreements, FSA may have insufficient assurance that systems and data, such as personally identifiable information[9] (PII), are protected from unauthorized access, use, disclosure, modification, or destruction.

[9] PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Certification and Accreditation Support for Contractor Systems

As part of our survey, we also determined whether documentation existed to verify that the contractors' systems were properly certified and accredited consistent with NIST and Department policies.

To conduct our review, we were provided access to the Operational Vulnerability Management System (OVMS) and to FSA public folders within Microsoft Outlook, which an FSA official said contained the C&A documentation for all Departmental systems. After reviewing the documentation in OVMS and Microsoft Outlook, we determined that for 29 of the 38 contracts containing systems that were subject to the C&A process, FSA did not maintain all required documentation. Specifically, we found that:

  • for 1 contract (3 percent), FSA did not maintain an SSP, SAR, and POA&M;
  • for 3 contracts (8 percent), FSA did not maintain a SAR and POA&M;
  • for 9 contracts (24 percent), FSA did not maintain a SAR; and
  • for 16 contracts (42 percent), FSA did not maintain a POA&M.

Changes to an IT system or associated IT environment can affect the accredited safeguards and may result in changes to the prescribed security requirements needed for the system. Therefore, having the appropriate required documentation will help ensure that authorizing officials make credible ongoing risk-based decisions regarding the security state of the information systems.

Review of GA Agreements for IT Security Language

As part of our survey work, we requested FSA to provide all GA agreements. As previously noted, GAs process, store, or transmit Department data through external IT systems. FSA identified and provided agreements between itself and 32 GAs participating in the FFEL Program.[10] It also provided us with all the available supporting documentation it had for these agreements. For all the GA agreement documentation we reviewed, we found that none of the GA agreements addressed IT security. However, during our survey, we were informed that FSA was in the process of establishing and incorporating IT security in all future GA agreements to ensure compliance with Federal requirements and guidance. By including security language based on Federal requirements in GA agreements, FSA can increase its assurance that the necessary security controls are in place to protect information processed on behalf of the Department.

[10] The agreements it provided were primarily basic program agreements made under 34 C.F.R. § 682.401, although some of the agreements included additional provisions. However, from our review, not all documentation was included with each agreement. For example, for some of the agreements, we noted the attachments cited were missing.

Including Federal security language in all contracts providing IT support or services, as well as all agreements for GAs, will help to ensure that system data, including PII, are protected from unauthorized access, use, disclosure, modification, or destruction. Including the security language also will allow for increased oversight of vendors, thus protecting FSA and the Department if security breaches occur from a vendor's system.

Suggested FSA Management Actions

We suggest that the Chief Operating Officer for FSA:

  1. Ensure all contract documentation that specifies the name of the system for which the work is to be performed is accounted for in a centralized location such as the contract file and is timely provided when requested.

FSA Response

FSA management stated that during the survey, the survey team might have had difficulty in determining whether the contracts they were reviewing were for systems services or program services. They further stated that all of the contracts for system services had the names of the systems included in the contracts, and that corrective action is not required.

OIG Response

The survey team worked with FSA staff to identify which contracts were for system services. Once FSA identified these contracts, we requested all documentation for each of the contracts. We were provided the hardcopy documentation for each of the contract files. Our review showed that for some of the contracts, names of the systems were not in the documentation we were provided. This condition was noted in the discussion draft that was provided to FSA management on June 27, 2011. During the exit briefing on June 30, 2011, FSA management did not indicate that documentation showing system names for the questioned contracts was available. On July 13, 2011, we issued our draft report. In its management response on August 4, 2011, FSA management stated that system names were included in all contracts for system services. However, it still did not provide the supporting documentation. Therefore, if this documentation existed outside of the contract files we reviewed, it needs to be accounted for in a centralized location. In our draft report, this management action originally suggested that FSA ensure that contracts specify the name of the system for which the work is to be performed. We have revised Suggestion 1 to address this issue.

  2. Ensure that all contract documentation showing provisions to address IT security is accounted for in a centralized location such as the contract file and is timely provided when requested.

FSA Response

FSA management stated that after the release of the draft Management Information Report, all of FSA's current contracts contain IT security requirements and requested that this finding and Suggestion 2 be removed.

OIG Response

On January 21, 2011, when we first identified the seven contracts that did not contain documentation showing provisions to address IT security, while we were on site, we contacted our FSA point of contact to verify whether any documentation was missing. We did not receive any documentation. This condition was noted in the discussion draft that was provided to FSA management on June 27, 2011. On June 28, 2011, FSA personnel contacted OIG to request the information for the seven contracts. During the exit briefing on June 30, 2011, FSA management did not indicate that documentation showing provisions addressing IT security was available for the seven questioned contracts. On July 13, 2011, we issued our draft report. On July 15, 2011, FSA provided OIG documentation of provisions addressing IT security for the seven contracts. This documentation was not included in the contract files we reviewed and should have been accounted for in a centralized location. In our draft report, this management action originally suggested that FSA modify current contracts to appropriately address IT security and ensure that future contracts address IT security. We have revised Suggestion 2 to address this issue.

  3. Ensure that all required C&A documentation can be readily located for the systems identified in the contract for which work is to be performed.

FSA Response

FSA stated that after the draft report was issued, it located the documents in OVMS and Outlook public folders. FSA is currently taking steps to store all of the records in OVMS and it expects to complete this project by the fall of 2011.

OIG Response

The survey team worked with FSA staff to locate C&A documents. However, by the end of the survey, we still could not locate, nor were we provided with, the missing documents. After the issuance of the discussion draft, FSA requested and was provided an inventory of the missing C&A documents. During the exit briefing, the existence of these documents in OVMS and Outlook public folders was still not brought to our attention by FSA management. After the issuance of the draft report, FSA worked with the survey team to locate these documents. For C&A documents in Outlook public folders, we noticed that a user needed to access many different levels/folders to locate the documentation. Also, if a user did not know the exact folders to access, the C&A documents could not easily be located. In addition, we noticed that for some C&A documents, there was not a standard naming convention that could easily identify the content of the document, further complicating our search for specific documentation. FSA's action to migrate documents housed in the Outlook public folders into OVMS will make these documents easier to locate. In our draft report, this management action originally suggested that FSA ensure that all required C&A documentation exists for the systems identified in the contract for which work is to be performed. We have revised Suggestion 3 to address this issue.

  4. Create a centralized repository for all C&A information. This will ensure that all applicable C&A documentation is complete and can be readily located.

FSA Response

FSA management stated that it had implemented a centralized repository for all system-related security documentation approximately 6 years ago in Outlook public folders for each system in FSA. OVMS had become FSA's central repository when it was able to capture C&A information in OVMS. FSA is currently moving the Outlook documents into OVMS and expects this transition to be completed by October 2011.

OIG Response

During our review, we found that C&A documentation was maintained in both the Outlook public folders and OVMS and not in a central repository. We found that documentation could not be readily located and we had to search both systems to locate a document. As cited in the suggested management action above, when using the Outlook public folders, the survey team encountered difficulty in locating C&A documentation. Centralizing C&A documentation into one repository will ensure that complete and up-to-date documentation can be readily located. We agree with FSA's corrective action to address this issue.

  5. Ensure that existing and future GA agreements account for IT security.

FSA Response

FSA management stated that it will modify each guaranty agency's agreement to include a provision that addresses IT security to ensure that system data maintained by each agency, including PII, are protected.

OIG Response

Although we agree with FSA's corrective action to address this issue, a completion date for this action is needed.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our survey was to first identify all FSA contracts providing contractor IT support or services to FSA or the Department, as well as all agreements for GAs, which process, store, or transmit Department data through external IT systems as of November 1, 2010. Then, for each FSA contract identified, we determined whether the current contract contained any language that addressed IT security and whether documentation existed to support the C&A of the contractor's system. For each GA agreement identified, we determined whether the current agreement contained any language that addressed IT security. To satisfy this objective, we:

  • reviewed applicable Federal requirements and guidance and Departmental policies and procedures;
  • reviewed related Office of Inspector General (OIG) management information and audit reports and special projects;[11]
  • reviewed the FY 2009 FISMA Annual Report relating to interconnection agreements, privacy impact assessments, and IT system certification and accreditation;
  • reviewed the FY 2010 FISMA Annual Report relating to IT system certification and accreditation;
  • conducted interviews with FSA management and staff responsible for managing FSA contracts and guaranty agreements; and
  • evaluated relevant contracts, GA agreements, and supporting documentation to assess whether contracts and GA agreements appropriately address IT security.

[11] "Federal Student Aid's Efforts to Ensure the Effective Processing of Student Loans Under the Direct Loan Program," ED-OIG-X19K0008 (Management Information Report), dated September 16, 2010; "System Application Controls over the Financial Management System," ED-OIG-A11J0005 (Audit Report), dated September 2010; "Security over Certification and Accreditation for Information Systems," ED-OIG-A11J0001 (Audit Report), dated October 13, 2009; "Incident Handling and Privacy Act Controls over External Web Sites," ED-OIG-A11I006 (Audit Report), dated June 10, 2009; 2009 FISMA Annual Report, ED-OIG-S11J0008 (Special Project), dated November 17, 2009; and 2010 FISMA Annual Report, ED-OIG-S11K0002 (Special Project), dated November 12, 2010.

Additional information on the scope and methodology is presented below.

Contract Review

We met with FSA contracting officials to identify all current contracts that provide some level of IT support, to include processing, storing, or transmitting data on behalf of FSA or the Department. We received an initial list of 241 active FSA contracts. We reviewed all documentation for all 52 contracts that were related to contractor-provided IT support or services but focused on the Statements of Work (SOW)/Statements of Objectives (SOO) to determine which contracts were relevant to our objectives. After reviewing the SOW/SOOs for each contract file, we determined that 38 of those contracts met our objectives based on the NIST guidance identified in the background section. We also met with FSA contracting officials to discuss the documentation that supported the C&A process. For each contract file, we determined whether an SSP, SAR, and POA&M existed for each contractor system.

GA Agreements Review

We met with FSA contracting officials to identify all GA agreements that existed between FSA and the GAs. FSA also provided the supporting documentation for the GA agreements. We reviewed the agreements and all supporting documentation to determine whether IT security language was included in the GA agreements.

Our fieldwork was conducted from November 2010 through March 2011 at FSA contract offices located in Washington, D.C. An exit conference with FSA contract officials was held on June 30, 2011. We conducted our work in accordance with the OIG quality standards for Management Information Reports.

If you have any questions, please call Joseph Maranto, Director, Information Technology Audit Division, at 202-245-7044.

cc:  Richard Gordon, Chief Information Officer, Federal Student Aid
     Jay Hurt, Chief Financial Officer, Federal Student Aid
     Bucky Methfessel, Senior Counsel for Information Technology, Office of General Counsel
     Marge White, Audit Liaison for FSA

Attachment

Abbreviations/Acronyms/Short Forms Used in this Report

C&A           Certification and Accreditation
C.F.R.        Code of Federal Regulations
Department    U.S. Department of Education
FFEL          Federal Family Education Loan
FIPS          Federal Information Processing Standards
FISMA         Federal Information Security Management Act of 2002
FSA           Federal Student Aid
GA            Guaranty Agency
IT            Information Technology
NIST          National Institute of Standards and Technology
OIG           Office of Inspector General
OMB           Office of Management and Budget
OVMS          Operational Vulnerability Management System
PII           Personally Identifiable Information
POA&M         Plan of Action and Milestones
SAR           Security Assessment Report
SOO           Statements of Objectives
SOW           Statement of Work
SP            Special Publications
SSP           System Security Plan